1) In order to quickly decrypt and check an OpenIDM managed user’s password, you can write this short decrypt-endpoint.js JavaScript file:
if (request.method == "query") {
    // Read the managed user named by the "uid" query parameter, then decrypt its password field
    var user = openidm.read("managed/user/" + request.params.uid);
    var passwd = openidm.decrypt(user.password);
} else {
    throw "Unsupported operation: " + request.method;
}
// The last expression evaluated is the script's return value, i.e. the endpoint's response
passwd;

You can then invoke it through an endpoint: put the following endpoint-decrypt.json file in the OpenIDM configuration directory:

{
    "context" : "endpoint/decrypt",
    "type" : "text/javascript",
    "file" : "script/decrypt-endpoint.js"
}

You should then be able to decrypt an OpenIDM user’s password this way, provided that you know the user’s identifier (_id) in OpenIDM:

curl -u user:password "https://openidm:port/openidm/endpoint/decrypt?uid=bob"

2) Another way to encrypt or decrypt passwords in OpenIDM is shown below:

$ cd $OPENIDM_HOME
$ echo -n '{"password":"somepassword"}' > /tmp/cleartext_passwordfile.json
$ java -jar bundle/json-crypto-cli-1.1.0.jar -alias openidm-sym-default -encrypt -srcjson \
    /tmp/cleartext_passwordfile.json -destjson /tmp/encoded_passwordfile.json -keystore \
    $OPENIDM_HOME/security/keystore.jceks -storepass changeit -storetype jceks
$ java -jar bundle/json-crypto-cli-1.1.0.jar -alias openidm-sym-default -decrypt -srcjson \
    /tmp/encoded_passwordfile.json -destjson /tmp/quoted_result.json -keystore /opt/openidm/security/keystore.jceks \
    -storepass changeit -storetype jceks
$ cat /tmp/quoted_result.json
"somepassword"
$

Note: json-crypto-cli-1.1.0.jar can be downloaded from here

3) If you need to implement business roles so that users can initiate some workflows from the OpenIDM web GUI, and you want the available workflows to depend on the user’s roles, here are the important settings:

– you must edit the process-access.json file in the OpenIDM configuration directory to define which role gives access to which workflow. For example, consider this definition:

{
    "workflowAccess" : [
        {
            "propertiesCheck" : {
                "property" : "_id",
                "matches" : "requestLDAPGroup",
                "requiresRole" : "employee"
            }
        }
    ]
}

It means that the workflow whose BPMN process id is « requestLDAPGroup » can be initiated only by users holding the employee role.

To assign users the employee role (by default, roles are stored in a field called « roles », which accepts CSV-formatted values only), you can for example use the following syntax in the sync.json file:

"onCreate" : {
    "type" : "text/javascript",
    "source" : "target.roles = 'openidm-authorized,employee'"
}
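As an added example (not code from the original post or from OpenIDM itself), here is a small JavaScript re-implementation of the propertiesCheck rule above, so a role-to-workflow mapping can be checked outside OpenIDM before deploying it; it assumes that matches is a full-match regular expression and that roles is the CSV string described above.

```javascript
// Added example, not OpenIDM code: re-implements the process-access.json
// "propertiesCheck" rule so a role-to-workflow mapping can be tested offline.
// Assumption: "matches" is a full-match regular expression (Java String.matches
// semantics) applied to the named workflow property.

// Constructed sample: workflow definitions as OpenIDM would list them.
const WORKFLOWS = [
  { _id: "requestLDAPGroup", name: "Request LDAP group membership" },
  { _id: "selfServiceReset", name: "Self-service password reset" },
];

// Constructed sample config, same shape as the process-access.json above, plus a
// second rule so every authorised user sees the self-service workflow.
const ACCESS_CONFIG = {
  workflowAccess: [
    { propertiesCheck: { property: "_id", matches: "requestLDAPGroup", requiresRole: "employee" } },
    { propertiesCheck: { property: "_id", matches: "selfService.*", requiresRole: "openidm-authorized" } },
  ],
};

// Parse the CSV "roles" field into a Set, tolerating spaces and empty entries.
function parseRoles(rolesCsv) {
  return new Set(String(rolesCsv || "").split(",").map(r => r.trim()).filter(Boolean));
}

// A workflow is available when at least one rule matches it and the user holds the
// role that rule requires. The regex is anchored so "requestLDAPGroup" does not
// also grant "requestLDAPGroupAdmin".
function workflowsAvailableTo(user, accessConfig, workflows) {
  const roles = parseRoles(user.roles);
  return workflows
    .filter(wf => accessConfig.workflowAccess.some(({ propertiesCheck: rule }) => {
      const value = wf[rule.property];
      const re = new RegExp("^(?:" + rule.matches + ")$");
      return typeof value === "string" && re.test(value) && roles.has(rule.requiresRole);
    }))
    .map(wf => wf._id);
}

// Constructed users: bob was created through the sync.json onCreate hook above,
// eve only holds the default role.
const bob = { _id: "bob", roles: "openidm-authorized,employee" };
const eve = { _id: "eve", roles: "openidm-authorized" };

console.log(workflowsAvailableTo(bob, ACCESS_CONFIG, WORKFLOWS)); // [ 'requestLDAPGroup', 'selfServiceReset' ]
console.log(workflowsAvailableTo(eve, ACCESS_CONFIG, WORKFLOWS)); // [ 'selfServiceReset' ]
```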